
builder: Disable docker's iptables handling

Ship the entire docker iptables configuration via ferm.
This is to make sure docker and ferm play nice together.
For now we only want this on builder hosts, which is why we don't put it in
profile::docker::engine. This relies on setting iptables: false in docker

Change-Id: I8db5ebfb637a3d7492c9ae5c554f5d7446dfb74f
akosiaris committed Oct 24, 2017
1 parent 1bf2f62 commit 74050c6233c8b5ae291d3d7f5131a587941c50ac
@@ -3,6 +3,7 @@ profile::docker::engine::version: "1.12.6-0~debian-jessie"
profile::docker::engine::declare_service: true
profile::docker::engine::settings:
live-restore: true
iptables: false
profile::docker::builder::proxy_address: "webproxy.%{::site}.wmnet"
profile::docker::builder::proxy_port: "8080"
monitor_screens: false
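Review bot: `iptables: false` (the added `iptables: false` line under `profile::docker::engine::settings`) also stops the daemon from adding the per-container DNAT/ACCEPT rules it normally creates for published ports, and the static ferm file shipped in this commit leaves both `DOCKER` chains empty, so port publishing would silently stop working on these hosts. That is presumably acceptable for builder hosts that never publish ports, but the hiera key gives no hint of the trade-off; a comment next to it such as `# docker iptables rules are shipped statically via ferm (profile::docker::builder); published ports are not supported` would save the next person a debugging session. The setting is only read at daemon start, so rules Docker already installed on a running host persist until the daemon is restarted, which the hunk does not show being triggered.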
@@ -0,0 +1,43 @@
domain ip {
table filter {
chain FORWARD {
policy ACCEPT;
jump DOCKER-ISOLATION;
outerface docker0 jump DOCKER;
outerface docker0 mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
interface docker0 outerface !docker0 ACCEPT;
# I am currently missing the point of this, just porting it
interface docker0 outerface docker0 ACCEPT;
}
chain OUTPUT {
policy ACCEPT;
}
# Empty chain in our case, just port it
chain DOCKER {
}
# Mostly empty chain, just port it
chain DOCKER-ISOLATION {
RETURN;
}
}
table nat {
chain PREROUTING {
policy ACCEPT;
mod addrtype dst-type LOCAL jump DOCKER;
}
chain INPUT {
policy ACCEPT;
}
chain OUTPUT {
policy ACCEPT;
mod addrtype dst-type LOCAL daddr !127.0.0.0/8 jump DOCKER;
}
chain POSTROUTING {
policy ACCEPT;
outerface !docker0 saddr 172.17.0.0/16 MASQUERADE;
}
chain DOCKER {
interface docker0 RETURN;
}
}
}
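Review bot: The `FORWARD` chain is given `policy ACCEPT;` (the `policy ACCEPT;` line under `chain FORWARD`), which makes the explicit conntrack and `interface docker0 outerface !docker0 ACCEPT` rules below it no-ops — nothing in the chain ever denies, so with ip_forward enabled the host forwards any traffic between any interfaces, not just docker0. This mirrors what Docker 1.12 itself installed, as far as I recall, but later Docker releases switched the policy to DROP for exactly this reason; since the rules are now owned by ferm, `policy DROP;` with the existing ACCEPT rules doing the work would be the safer port and would also give the "missing the point" rule on the `interface docker0 outerface docker0 ACCEPT;` line a purpose. Separately, `saddr 172.17.0.0/16` in POSTROUTING hard-codes the default bridge range; if `bip` or a custom bridge is ever set in the docker settings, masquerading silently breaks, so a comment tying this value to the default `bip` would help.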
@@ -53,4 +53,14 @@
group => 'root',
mode => '0500'
}

# Ship the entire docker iptables configuration via ferm
# This is here to make sure docker and ferm play nice together.
# For now we only want this on builder hosts, which is why we don't put it in
# profile::docker::engine. This relies on settings iptables: false in docker
ferm::conf { 'docker-ferm':
ensure => present,
prio => 20,
source => 'puppet:///modules/profile/docker/builder-docker-ferm',
}
}
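Review bot: The `ferm::conf { 'docker-ferm': ... }` resource declares no ordering against the Docker daemon, yet the comment above it says it only works once `iptables: false` is in effect; on an already-running host, ferm applying this file will replace Docker's own chains while the daemon still believes it manages them, and until the daemon is restarted it may re-insert rules on container start. If the daemon service or its config is managed by profile::docker::engine, a `require => Class['profile::docker::engine']` (or whatever resource carries the restart) would make the dependency explicit rather than implied. The comment also repeats the commit message verbatim and has a typo: `# This relies on setting iptables: false in docker` would read better, and it should name the hiera key it depends on (`profile::docker::engine::settings`). The enclosing class starts before this hunk.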
